The author is a Forbes contributor. The opinions expressed are those of the writer.


Image: An example of a United States Department of Defense Common Access Card, from http://www.cac.mil/ (Photo credit: Wikipedia)

As the smartphone industry continues to subsume and disrupt multi-billion dollar markets (e.g. digital cameras, GPS navigation devices, portable media players, portable gaming consoles, etc.), is the billion dollar plus market for multi-factor authentication (e.g. smartcards, tokens, etc.) the next to be disrupted by the mobile device revolution? Apple’s pending acquisition of AuthenTec signals that the answer will be yes. The end result may be fewer problems with passwords and a dramatic increase in mobile ecommerce.

As I discussed in a Forbes blog post last year, we have a serious problem with passwords: users have too many passwords on the Internet, and those passwords can easily be stolen via phishing attacks and/or via massive hacks of popular websites’ password files. As Ars Technica notes in this article, given that the “average web user maintains 25 separate accounts but uses just 6.5 passwords to them,” it is not surprising that users are significantly reusing their passwords. Couple this with the fact that many use their email address as their login across multiple web properties, and the end result is that “once hackers have plucked login credentials from one site, they often have the means to compromise dozens of other accounts.”

Ironically, the industry has known about the problems with passwords since before the explosion of the Internet. As discussed in the Wikipedia entry on this topic, two-factor (also known as multi-factor) authentication has been around for decades. Just having a single factor — e.g. a password — for logging into a computer account is not as secure, because a password can be stolen or guessed. But if you add other “factors” — such as something you have (e.g. an ATM card or a smartcard) and/or something that uniquely identifies you (e.g. a biometric characteristic such as a fingerprint or retina scan) — combining these factors with your password makes it harder for someone to break into your account. A simple example of multi-factor authentication is how we access our bank account at an ATM: we gain access via our ATM card (something we have) and the PIN for our account (something we know). As the Wikipedia entry notes, “without the corroborating verification of both of these factors, authentication does not succeed.”

The need for multi-factor authentication in the corporate world alone has led to a billion dollar plus industry, with vendors creating solutions ranging from smartcards and smartcard readers to tokens (think of tokens as keyfobs that every 60 seconds, or at the push of a button, generate a one-time keycode) to software and hardware that can verify a user’s fingerprint or other biometric characteristics. One such vendor of multi-factor authentication tokens, RSA Security, was acquired by EMC for $2.1 billion in 2006. And it is not just corporations that are big into multi-factor authentication: one of the biggest users of smartcard technology is the United States Government. In August of 2004 Homeland Security Presidential Directive 12 (HSPD-12) was issued, calling for a “mandatory, government-wide standard for secure and reliable forms of ID issued by the federal government to its employees and employees of federal contractors for access to federally-controlled facilities and networks.” That ID for federal government employees and contractors is the Personal Identity Verification (PIV) card, and for Department of Defense workers that ID card is the Common Access Card (CAC).

Multi-factor authentication sounds like a great way to reduce the likelihood of stolen passwords, but handing out thousands of tokens or smartcards to internal users is an expensive proposition for any corporation. And what about addressing the need for millions of consumers who have accounts on multitudes of websites? It is fine to have one ATM card for my bank account, as most consumers most likely bank at just one bank, and my ATM card works at ATMs of banks where I don’t have an account (albeit in many cases for a small fee). But do I want a corresponding smartcard or token for each online website that I access and do business with? And do I want to carry around a card reader for every type of computing device I may use? Probably not, even assuming any ecommerce sites are willing to hand out a smartcard or token to let their customers access their accounts.

But there is one constant item that most corporate and government users have in their possession, and that the great mass of consumers increasingly has: a smartphone. So the “something you have” factor of multi-factor authentication can be addressed with a smartphone. For example, a smartphone can be correlated with a person’s identity, and upon request an SMS text can be sent with a one-time passcode that is entered in addition to your username and password on a website. In effect the smartphone becomes a replacement for a fob or token. Or a smartphone can in effect become the equivalent of a smartcard, with an identity credential stored on the phone, and can communicate with a computing device or even a physical access control system via near field communication (NFC). As noted in this whitepaper by the Smart Card Alliance, no doubt in the near future we will see business travelers receive their hotel room key on their smartphones (and wave their phone in front of their room door to gain access, bypassing check-in at the hotel front desk), or we will see a doctor walk up to a workstation at the hospital and be able to securely log in in part by simply having their smartphone in their pocket.

But of course not only can passwords be stolen; so can smartphones. That’s why the third factor in multi-factor authentication also becomes important — something that uniquely identifies you, such as your fingerprint. By integrating fingerprint reading hardware and software into a smartphone, you seamlessly get that additional factor in authentication. That is exactly the path Apple is taking, as signaled when it announced the acquisition of AuthenTec back in July. Apple has your Apple ID, which holds your credit card information to let you make online purchases, and it knows which devices are tied to your Apple account via iCloud; to complete the ability to make secure, multi-factor authenticated transactions, your iPad or iPhone will no doubt also in the near future be able to validate that it is really you via your fingerprint. This means we can expect the newly introduced Passbook application in iOS 6 — in effect a digital wallet — to take off further once users and merchants can see that a transaction can only occur with biometric verification.

And as noted by my fellow Forbes blogger Maribel Lopez, smartphones can also seamlessly add a fourth factor — location — that makes it even harder to spoof and hack someone’s online accounts.

Another potential signal that the future of multi-factor authentication is not with smartcards or tokens but with smartphones is Apple’s decision to deprecate support for smart card services in Mac OS X. Why invest in this type of authentication when a smartphone can integrate additional factors such as biometrics and location?

So it seems clear that smartphones are not only going to replace many of the smartcards, keyfobs, etc. that you have in your wallet or on your keychain, but will further accelerate your ability to conduct secure online transactions and reduce the damage caused by hackers stealing passwords. In the end the $356 million that Apple is paying for AuthenTec may be another great move that leads to billions in additional hardware and ecommerce sales for Apple.

[Disclaimer note: my company, Centrify, recently introduced some free software that provides smartcard services for the Mac, e.g. support for CAC and PIV cards. We do not currently offer solutions for multi-factor authentication built into smartphones, which is the topic of this article.]